Fintech & regulatory

Compliance

How the current policy set maps to common compliance frameworks. Coverage is advisory: it is measured against the controls mapped in opserapol, not the full framework, and is not an audit artifact.

PCI DSS4.0100%

Payment Card Industry Data Security Standard

14 of 14 mapped controls covered
SOC 22017 TSC100%

AICPA Trust Services Criteria (Security)

6 of 6 mapped controls covered
CIS Kubernetes Benchmarkv1.8100%

Section 5 — policies enforceable at admission

16 of 16 mapped controls covered
NIST SP 800-53rev. 5100%

Security and privacy controls

13 of 13 mapped controls covered
ISO/IEC 270012022100%

Annex A controls

7 of 7 mapped controls covered
DORAEU 2022/2554100%

Digital Operational Resilience Act (EU financial entities)

5 of 5 mapped controls covered
DORA EU 2022/2554dora
5/5 (100%)
ControlTitleMapped policies
Art. 9.2Protection and prevention — ICT security policies and tools
30-Day Scan Age90-Day Image AgeADD Command used instead of COPYAlpine Linux Package Manager (apk) in ImageCAP_SYS_ADMIN capability addedContainer using read-write root filesystemContainer with privilege escalation allowedCurl in ImageDeployments should have at least one ingress Network PolicyDeployments with externally exposed endpointsDocker CIS 4.1: Ensure That a User for the Container Has Been CreatedDocker CIS 4.4: Ensure images are scanned and rebuilt to include security patchesDocker CIS 4.7: Alert on Update InstructionDocker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabledDocker CIS 5.15: Ensure that the host's process namespace is not sharedDocker CIS 5.16: Ensure that the host's IPC namespace is not sharedDocker CIS 5.19: Ensure mount propagation mode is not enabledDocker CIS 5.21: Ensure the default seccomp profile is not disabledDocker CIS 5.7: Ensure privileged ports are not mapped within containersDocker CIS 5.9 and 5.20: Ensure that the host's network namespace is not sharedEmergency Deployment AnnotationEnvironment Variable Contains SecretFixable CVSS >= 6 and PrivilegedInsecure specified in CMDIptables or nftables Executed in Privileged ContainerKubernetes Dashboard DeployedLinux Group Add ExecutionLinux User Add ExecutionLogin BinariesMount Container Runtime SocketMounting Sensitive Host DirectoriesNo CPU request or memory limit specifiedPod Service Account Token Automatically MountedPrivileged ContainerPrivileged Containers with Important and Critical Fixable CVEsProcess with UID 0Red Hat Package Manager ExecutionRed Hat Package Manager in ImageRequired Annotation: EmailRequired Annotation: Owner/TeamRequired Image LabelRequired Label: Owner/TeamSecret Mounted as Environment VariableSecure Shell (ssh) Port ExposedSecure Shell (ssh) Port Exposed in ImageSecure Shell Server (sshd) ExecutionUbuntu Package Manager in ImageWget in Image
Art. 9.4(b)Network and infrastructure segmentation
Art. 9.4(c)Patching and updates of ICT systems
Art. 10.1Detection of anomalous activities and ICT incidents
Art. 28.1ICT third-party risk — supply chain integrity